1//! Implementations that just need to read from a file
2use crate::Error;
3use core::{
4 ffi::c_void,
5 mem::MaybeUninit,
6 sync::atomic::{AtomicI32, Ordering},
7};
8
9#[cfg(not(any(target_os = "android", target_os = "linux")))]
10pub use crate::util::{inner_u32, inner_u64};
11
12#[path = "../util_libc.rs"]
13pub(super) mod util_libc;
14
15/// For all platforms, we use `/dev/urandom` rather than `/dev/random`.
16/// For more information see the linked man pages in lib.rs.
17/// - On Linux, "/dev/urandom is preferred and sufficient in all use cases".
18/// - On Redox, only /dev/urandom is provided.
19/// - On AIX, /dev/urandom will "provide cryptographically secure output".
20/// - On Haiku and QNX Neutrino they are identical.
21const FILE_PATH: &[u8] = b"/dev/urandom\0";
22
23// File descriptor is a "nonnegative integer", so we can safely use negative sentinel values.
24const FD_UNINIT: libc::c_int = -1;
25const FD_ONGOING_INIT: libc::c_int = -2;
26
27// In theory `libc::c_int` could be something other than `i32`, but for the
28// targets we currently support that use `use_file`, it is always `i32`.
29// If/when we add support for a target where that isn't the case, we may
30// need to use a different atomic type or make other accomodations. The
31// compiler will let us know if/when that is the case, because the
32// `FD.store(fd)` would fail to compile.
33//
34// The opening of the file, by libc/libstd/etc. may write some unknown
35// state into in-process memory. (Such state may include some sanitizer
36// bookkeeping, or we might be operating in a unikernal-like environment
37// where all the "kernel" file descriptor bookkeeping is done in our
38// process.) `get_fd_locked` stores into FD using `Ordering::Release` to
39// ensure any such state is synchronized. `get_fd` loads from `FD` with
40// `Ordering::Acquire` to synchronize with it.
41static FD: AtomicI32 = AtomicI32::new(FD_UNINIT);
42
43#[inline]
44pub fn fill_inner(dest: &mut [MaybeUninit<u8>]) -> Result<(), Error> {
45 let mut fd: i32 = FD.load(order:Ordering::Acquire);
46 if fd == FD_UNINIT || fd == FD_ONGOING_INIT {
47 fd = open_or_wait()?;
48 }
49 util_libc::sys_fill_exact(buf:dest, |buf: &mut [MaybeUninit]| unsafe {
50 libc::read(fd, buf.as_mut_ptr().cast::<c_void>(), count:buf.len())
51 })
52}
53
54/// Open a file in read-only mode.
55///
56/// # Panics
57/// If `path` does not contain any zeros.
58// TODO: Move `path` to `CStr` and use `CStr::from_bytes_until_nul` (MSRV 1.69)
59// or C-string literals (MSRV 1.77) for statics
60fn open_readonly(path: &[u8]) -> Result<libc::c_int, Error> {
61 assert!(path.contains(&0));
62 loop {
63 let fd: i32 = unsafe {
64 libc::open(
65 path.as_ptr().cast::<libc::c_char>(),
66 oflag:libc::O_RDONLY | libc::O_CLOEXEC,
67 )
68 };
69 if fd >= 0 {
70 return Ok(fd);
71 }
72 let err: Error = util_libc::last_os_error();
73 // We should try again if open() was interrupted.
74 if err.raw_os_error() != Some(libc::EINTR) {
75 return Err(err);
76 }
77 }
78}
79
80#[cold]
81#[inline(never)]
82fn open_or_wait() -> Result<libc::c_int, Error> {
83 loop {
84 match FD.load(Ordering::Acquire) {
85 FD_UNINIT => {
86 let res = FD.compare_exchange_weak(
87 FD_UNINIT,
88 FD_ONGOING_INIT,
89 Ordering::AcqRel,
90 Ordering::Relaxed,
91 );
92 if res.is_ok() {
93 break;
94 }
95 }
96 FD_ONGOING_INIT => sync::wait(),
97 fd => return Ok(fd),
98 }
99 }
100
101 let res = open_fd();
102 let val = match res {
103 Ok(fd) => fd,
104 Err(_) => FD_UNINIT,
105 };
106 FD.store(val, Ordering::Release);
107
108 // On non-Linux targets `wait` is just 1 ms sleep,
109 // so we don't need any explicit wake up in addition
110 // to updating value of `FD`.
111 #[cfg(any(target_os = "android", target_os = "linux"))]
112 sync::wake();
113
114 res
115}
116
117fn open_fd() -> Result<libc::c_int, Error> {
118 #[cfg(any(target_os = "android", target_os = "linux"))]
119 sync::wait_until_rng_ready()?;
120 let fd: i32 = open_readonly(FILE_PATH)?;
121 debug_assert!(fd >= 0);
122 Ok(fd)
123}
124
125#[cfg(not(any(target_os = "android", target_os = "linux")))]
126mod sync {
127 /// Sleep 1 ms before checking `FD` again.
128 ///
129 /// On non-Linux targets the critical section only opens file,
130 /// which should not block, so in the unlikely contended case,
131 /// we can sleep-wait for the opening operation to finish.
132 pub(super) fn wait() {
133 let rqtp = libc::timespec {
134 tv_sec: 0,
135 tv_nsec: 1_000_000,
136 };
137 let mut rmtp = libc::timespec {
138 tv_sec: 0,
139 tv_nsec: 0,
140 };
141 // We do not care if sleep gets interrupted, so the return value is ignored
142 unsafe {
143 libc::nanosleep(&rqtp, &mut rmtp);
144 }
145 }
146}
147
148#[cfg(any(target_os = "android", target_os = "linux"))]
149mod sync {
150 use super::{open_readonly, util_libc::last_os_error, Error, FD, FD_ONGOING_INIT};
151
152 /// Wait for atomic `FD` to change value from `FD_ONGOING_INIT` to something else.
153 ///
154 /// Futex syscall with `FUTEX_WAIT` op puts the current thread to sleep
155 /// until futex syscall with `FUTEX_WAKE` op gets executed for `FD`.
156 ///
157 /// For more information read: https://www.man7.org/linux/man-pages/man2/futex.2.html
158 pub(super) fn wait() {
159 let op = libc::FUTEX_WAIT | libc::FUTEX_PRIVATE_FLAG;
160 let timeout_ptr = core::ptr::null::<libc::timespec>();
161 let ret = unsafe { libc::syscall(libc::SYS_futex, &FD, op, FD_ONGOING_INIT, timeout_ptr) };
162 // FUTEX_WAIT should return either 0 or EAGAIN error
163 debug_assert!({
164 match ret {
165 0 => true,
166 -1 => last_os_error().raw_os_error() == Some(libc::EAGAIN),
167 _ => false,
168 }
169 });
170 }
171
172 /// Wake up all threads which wait for value of atomic `FD` to change.
173 pub(super) fn wake() {
174 let op = libc::FUTEX_WAKE | libc::FUTEX_PRIVATE_FLAG;
175 let ret = unsafe { libc::syscall(libc::SYS_futex, &FD, op, libc::INT_MAX) };
176 debug_assert!(ret >= 0);
177 }
178
179 // Polls /dev/random to make sure it is ok to read from /dev/urandom.
180 //
181 // Polling avoids draining the estimated entropy from /dev/random;
182 // short-lived processes reading even a single byte from /dev/random could
183 // be problematic if they are being executed faster than entropy is being
184 // collected.
185 //
186 // OTOH, reading a byte instead of polling is more compatible with
187 // sandboxes that disallow `poll()` but which allow reading /dev/random,
188 // e.g. sandboxes that assume that `poll()` is for network I/O. This way,
189 // fewer applications will have to insert pre-sandbox-initialization logic.
190 // Often (blocking) file I/O is not allowed in such early phases of an
191 // application for performance and/or security reasons.
192 //
193 // It is hard to write a sandbox policy to support `libc::poll()` because
194 // it may invoke the `poll`, `ppoll`, `ppoll_time64` (since Linux 5.1, with
195 // newer versions of glibc), and/or (rarely, and probably only on ancient
196 // systems) `select`. depending on the libc implementation (e.g. glibc vs
197 // musl), libc version, potentially the kernel version at runtime, and/or
198 // the target architecture.
199 //
200 // BoringSSL and libstd don't try to protect against insecure output from
201 // `/dev/urandom'; they don't open `/dev/random` at all.
202 //
203 // OpenSSL uses `libc::select()` unless the `dev/random` file descriptor
204 // is too large; if it is too large then it does what we do here.
205 //
206 // libsodium uses `libc::poll` similarly to this.
207 pub(super) fn wait_until_rng_ready() -> Result<(), Error> {
208 let fd = open_readonly(b"/dev/random\0")?;
209 let mut pfd = libc::pollfd {
210 fd,
211 events: libc::POLLIN,
212 revents: 0,
213 };
214
215 let res = loop {
216 // A negative timeout means an infinite timeout.
217 let res = unsafe { libc::poll(&mut pfd, 1, -1) };
218 if res >= 0 {
219 // We only used one fd, and cannot timeout.
220 debug_assert_eq!(res, 1);
221 break Ok(());
222 }
223 let err = last_os_error();
224 // Assuming that `poll` is called correctly,
225 // on Linux it can return only EINTR and ENOMEM errors.
226 match err.raw_os_error() {
227 Some(libc::EINTR) => continue,
228 _ => break Err(err),
229 }
230 };
231 unsafe { libc::close(fd) };
232 res
233 }
234}
235